Hi Spender & PaxTeam. I wanted to propose a few features for Grsec that are relevant beyond the privacy distros like Tails and Whonix (Disclosure: I am a developer of the latter). Convincing upstream Linux to adopt security measures is like smashing one's head against a very large brick wall, so I am discussing it here where it counts and so millions of users can potentially benefit.

* TCP Timestamps leak a lot of sensitive data to the network, like system uptime, and allow attackers to fingerprint users and correlate timestamp leaks in Tor exit traffic with the timestamps in the client -> first hop circuit. Tails and we respond by completely disabling it despite documentation claiming performance problems without it. I recall seeing a patch you wrote for randomizing TCP Timestamps instead, which could address privacy concerns but without affecting performance. Is it included in the TCP/IP hardening part of Grsec?

* nf_conntrack_helper: Tor's Jacob Appelbaum discussed a feature in this module that allows a bunch of legacy protocol parsers in the kernel when they have no business being there. These code paths were exploited before:

* TCP Initial Sequence Numbers: Under an attacker-controlled CPU load, a server's kernel timers used for TCP ISNs skew at a predictable rate, which can be used to deanonymize Hidden Services. Is it possible to randomize the timer output somehow to mitigate this?